Arne Nordmann,Peter Munk

DOI: https://doi.org/10.1145/3239372.3239373

2018-10-14

Abstract:Mastering the complexity of safety assurance for modern, software-intensive systems is challenging in several domains, such as automotive, robotics, and avionics. Model-based safety analysis techniques show promising results to handle this challenge by automating the generation of required artifacts for an assurance case. In this work, we adapt prominent approaches and propose facilitation of SysML models with component fault trees (CFTs) to support the fault tree analysis (FTA). While most existing approaches based on CFTs are only targeting the system topology, e. g., UML Class Diagrams, we propose an integration of CFTs with SysML Internal Block Diagrams as well as SysML Activity Diagrams. We conclude with best practices and lessons learned that emerged from applying our approach to automotive use-cases.

Kai Hoefig,Andreas Joanni,Marc Zeller,Francesco Montrone,Martin Rothfelder,Rakshith Amarnath,Peter Munk,Arne Nordmann

DOI: https://doi.org/10.48550/arXiv.2105.15015

2021-05-31

Software Engineering

Abstract:The importance of mission or safety critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model driven development is currently one of the key approaches to cope with increasing development complexity, in general. Applying similar concepts to reliability, availability, maintainability and safety (RAMS) analysis activities is a promising approach to extend the advantages of model driven development to safety engineering activities aiming at a reduction of development costs, a higher product quality and a shorter time-to-market. Nevertheless, many model-based safety or reliability engineering approaches aim at reducing the analysis complexity but applications or case studies are rare. Therefore we present here a large scale industrial case study which shows the benefits of the application of component fault trees when it comes to complex safety mechanisms. We compare the methodology of component fault trees against classic fault trees and summarize benefits and drawbacks of both modeling methodologies.

Rongyao Cai,Xiao Xv,Zhengming Lu,Kexin Zhang,Yong Liu

DOI: https://doi.org/10.1109/isas61044.2024.10552597

2024-01-01

Abstract:Fault tree analysis is the most commonly used methodology in industrial safety analysis to predict the probability or frequency of system failure. Although fault tree analysis has been proposed for more than six decades, the assumptions used in most commercial fault tree analysis codes have not changed significantly, which limits the ability of the method to represent design, operation, and maintenance characteristics in the context of the increasing complexity and specialization of modern industrial systems. The basic setup of traditional fault trees is unable to include dependencies between events, time-varying failures, and repair rate realities to explain complex maintenance strategies. To address the above shortcomings, we propose a fusion tree model combining fault tree and attack tree, and simplify the causal structure of the fusion tree by modularization, and utilize the dynamic Markov model to represent the complex coupling relationship between components or nodes. Finally, we demonstrate the calculation process of fusion tree in pressure vessel systems with temporal control.

Changyong Chu,Weikang Yang,Yajun Chen

DOI: https://doi.org/10.3390/s24186021

IF: 3.9

2024-09-19

Sensors

Abstract:As embedded systems become increasingly complex, traditional reliability analysis methods based on text alone are no longer adequate for meeting the requirements of rapid and accurate quantitative analysis of system reliability. This article proposes a method for automatically generating and quantitatively analyzing dynamic fault trees based on an improved system model with consideration for temporal characteristics and redundancy. Firstly, an "anti-semantic" approach is employed to automatically explore the generation of fault modes and effects analysis (FMEA) from SysML models. The evaluation results are used to promptly modify the system design to meet requirements. Secondly, the Profile extension mechanism is used to expand the SysML block definition diagram, enabling it to describe fault semantics. This is combined with SysML activity diagrams to generate dynamic fault trees using traversal algorithms. Subsequently, parametric diagrams are employed to represent the operational rules of logic gates in the fault tree. The quantitative analysis of dynamic fault trees based on probabilistic models is conducted within the internal block diagram of SysML. Finally, through the design and simulation of the power battery management system, the failure probability of the top event was obtained to be 0.11981. This verifies that the design of the battery management system meets safety requirements and demonstrates the feasibility of the method.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

M. Schäfer,A. Berres,O. Bertram

DOI: https://doi.org/10.1007/s13272-022-00631-0

2022-12-20

CEAS Aeronautical Journal

Abstract:Integrating new functions into the aircraft can, for example, increase performance or reduce fuel consumption. Since the installation of such additional functions increases the overall aircraft complexity, it is crucial to adapt methods and tools that support the development and ensure traceability, consistency, and verifiability. In this context, model-based systems engineering and the associated Systems Modeling Language (SysML) have been established as a standard methodology. This paper presents an overview of a system development and modeling process with SysML at the concept design stage using a position-variable shock control bumps system as an example. In addition to the system modeling, safety and reliability analyses have to be considered during the design process. To keep both, the model and the associated safety assessment consistent, this work introduces an extension of SysML to enable the execution of a functional hazard assessment (FHA) according to the ARP4754A and ARP 4761 guidelines. This is the first step in conducting a model-based safety assessment. Furthermore, a modeling process with concepts management methods is performed. In summary, the presented modeling process consists of three main parts: the system modeling, functional hazard assessment and concept management.

Sebastian Reiter,Marc Zeller,Kai Hoefig,Alexander Viehl,Oliver Bringmann,Wolfgang Rosenstiel

DOI: https://doi.org/10.48550/arXiv.2106.03368

2021-06-07

Software Engineering

Abstract:The growing complexity of safety-relevant systems causes an increasing effort for safety assurance. The reduction of development costs and time-to-market, while guaranteeing safe operation, is therefore a major challenge. In order to enable efficient safety assessment of complex architectures, we present an approach, which combines deductive safety analyses, in form of Component Fault Trees (CFTs), with an Error Effect Simulation (EES) for sanity checks. The combination reduces the drawbacks of both analyses, such as the subjective failure propagation assumptions in the CFTs or the determination of relevant fault scenarios for the EES. Both CFTs and the EES provide a modular, reusable and compositional safety analysis and are applicable throughout the whole design process. They support continuous model refinement and the reuse of conducted safety analysis and simulation models. Hence, safety goal violations can be identified in early design stages and the reuse of conducted safety analyses reduces the overhead for safety assessment.

Yiping Wang,Tiantian Wang,Xinglong Li,Xianghu Wu,K. Y. Liu

DOI: https://doi.org/10.1117/12.3026535

2024-01-01

Abstract:This paper proposes an extension of the SysML safety semantic approach to address the lack of safety and reliability semantics and the support for safety and reliability analysis of the model in SysML. On this basis, fault tree generation and analysis are performed. The method first adds semantic information about fault tree and redundant module to the model using the Stereotype extension mechanism, integrating design data and safety data through an extended configuration file in the SysML model. Secondly, sub-mode decomposition of Internal Block Diagram is conducted, and fault mode recognition is described in relation to fault tree mapping. Based on this, a search is conducted on the SysML model to obtain necessary information for fault tree generation, followed by an analysis of the generated fault tree.

Simon József Nagy,Bence Graics,Kristóf Marussy,András Vörös

DOI: https://doi.org/10.48550/arXiv.2004.13290

2020-04-28

Software Engineering

Abstract:Systems engineering approaches use high-level models to capture the architecture and behavior of the system. However, when safety engineers conduct safety and reliability analysis, they have to create formal models, such as fault-trees, according to the behavior described by the high-level engineering models and environmental/fault assumptions. Instead of creating low-level analysis models, our approach builds on engineering models in safety analysis by exploiting the simulation capabilities of recent probabilistic programming and simulation advancements. Thus, it could be applied in accordance with standards and best practices for the analysis of a critical automotive system as part of an industrial collaboration, while leveraging high-level block diagrams and statechart models created by engineers. We demonstrate the applicability of our approach in a case study adapted from the automotive system from the collaboration.

Ahlbrecht, Alexander,Sprockhoff, Jasper,Durak, Umut

DOI: https://doi.org/10.1007/s10270-024-01209-6

2024-09-13

Software & Systems Modeling

Abstract:The complexity of safety-critical systems is continuously increasing. To create safe systems despite the complexity, the system development requires a strong integration of system design and safety activities. A promising choice for integrating system design and safety activities are model-based approaches. They can help to handle complexity through abstraction, automation, and reuse and are applied to design, analyze, and assure systems. In practice, however, there is often a disconnect between the model-based design and safety activities. At the same time, there is often a delay until recent approaches are available in model-based frameworks. As a result, the advantages of the models are often not fully utilized. Therefore, this article proposes a framework that integrates recent approaches for system design (model-based systems engineering), safety analysis (system-theoretic process analysis), and safety assurance (goal structuring notation). The framework is implemented in the systems modeling language (SysML), and the focus is placed on the connection between the safety analysis and safety assurance activities. It is shown how the model-based integration enables tool assistance for the systematic creation, analysis, and maintenance of safety artifacts. The framework is demonstrated with the system design, safety analysis, and safety assurance of a collision avoidance system for aircraft. The model-based nature of the design and safety activities is utilized to support the systematic generation, analysis, and maintenance of safety artifacts.

computer science, software engineering

Yue Li,Yian Zhu,Chunyan Ma,Meng Xu

DOI: https://doi.org/10.1007/978-3-642-23496-5_18

2011-01-01

Abstract:System safety analysis based on fault tree has been widely used for providing assurance to the stringent safety requirement of safety-critical systems. Generating fault trees from models described in AADL, a promising standard language for modeling complicated embedded system, would realize the automation of system safety analysis which is traditionally performed manually. This paper proposes a whole method for constructing fault trees from AADL models, whose main idea is to extract fault information from AADL models by dynamically tracing the possible fault sources of the specified fault objective, store them into a proposed database structure, and then construct fault trees based on the extracted fault information in the database structure. Further, the challenge posed by the common problems of deadlock and fault tree sharing is resolved by one algorithm called Sharing_Label in our method. We prove the correctness of the whole method theoretically.

Xiongpeng Hu,Jing Liu,Hui Dou,HongTao Chen,Yuhong Zhang

DOI: https://doi.org/10.1109/qrs60937.2023.00060

2023-01-01

Abstract:Safety analysis is a crucial process in developing safety-critical systems, allowing the identification of potential design issues that may lead to hazards. Automation of this process has become the focus of research in the critical system domain due to the growing complexity of systems. This paper proposes a Component Fault Trees (CFTs) based Failure Mode and Effects Analysis approach for Architecture Analysis and Design Language (AADL) models. First, we propose a methodology for directly generating CFTs from AADL models to display the overall failure behavior of the system. Then we extend the Error Model Annex Version 2 (EMV2) with DFMEA property to express the assessment criteria of error formally, and conduct Design Failure Mode and Effects Analysis (DFMEA) whose core step is guided by CFTs. We discuss our approach with its tool support and evaluate its applicability in driving the design of safety-critical systems through a case study.

Marco Bozzano,Alessandro Cimatti,Marco Gario,David Jones,Cristian Mattarei

DOI: https://doi.org/10.1007/s00165-021-00532-9

2021-03-01

Formal Aspects of Computing

Abstract:Abstract The system design process needs to cope with the increasing complexity and size of systems,motivating the replacement of labor intensivemanual techniques with automated and semi-automated approaches.Recently, formal methods techniques, such as model-based verification and safety assessment, have been increasingly used to model systems under fault and to analyze them, generating artifacts such as fault trees and FMEA tables. In this paper, we show how to apply model-based techniques to a realistic case study from the avionics domain: a high integrity power distribution system, the Triple Modular Generator (TMG). The TMG is composed of a redundant and reconfigurable plant and a controller that must guarantee a high level of reliability. The case study is a significant challenge, from the modeling perspective, since it implements a complex reconfiguration policy, specified via a number of requirements in natural language, including a set of mutually dependent and potentially conflicting priority constraints. Moreover, from the verification standpoint, the controller must be able to handle an exponential number of possible faulty configurations. Our contribution is twofold. First, we formalize and validate the requirements and, using a constraint-based modeling style, we synthesize a correct by construction controller, avoiding the enumeration of all possible fault configurations, as is currently done by manual approaches. Second, we describe a comprehensive methodology and process, supported by the xSAP safety analysis platform that targets the modeling and safety assessment of faulty systems. Using xSAP, we are able to automatically extract minimal cut sets for the TMG. We demonstrate the scalability of our approach by analyzing a parametric version of the TMG case study that contains more than 700 variables and 90 faults.

computer science, software engineering

Omar el Ariss,Dianxiang Xu,W. Eric Wong,Yuting Chen,Yann-Hang Lee

DOI: https://doi.org/10.1109/compsac.2008.19

2008-01-01

Abstract:As software systems are encompassing a wide range of fields and applications, software reliability becomes a crucial step. The need for safety analysis and test cases that have high probability to uncover plausible faults are necessities in proving software quality. System models that represent only the operational behavioral of a system are incomplete sources for deriving test cases and performing safety analysis before the implementation process. Therefore, a system model that encompasses faults is required. This paper presents a technique that formalizes a safety model through the incorporation of faults with system specifications. The technique focuses on introducing semantic faults through the integration of fault trees with system specifications or statechart. The method uses a set of systematic transformation rules that tries to maintain the semantics of both fault trees and statechart representations during the transformation of fault trees into statechart notations.

Wolfgang Weber,Heidemarie Tondok,Michael Bachmayer

DOI: https://doi.org/10.1007/978-3-540-39878-3_23

2003-01-01

Abstract:The fault tree analysis is a well established method in system safety and reliability assessment. We transferred the principles of this technique to an assembler code analysis, regarding any incorrect output of the software as the undesired top-level event. Starting from the instructions providing the outputs and tracing back to all instructions contributing to these outputs a hierarchical system of references is generated that may graphically be represented as a fault tree. To cope with the large number of relations in the code, a tool suite has been developed, which automatically creates these references and checks for unfulfilled preconditions of instructions. The tool was applied to the operational software of an inertial measurement unit, which provides safety critical signals for artificial stabilization of an aircraft. The method and its implementation as a software tool is presented and the benefits, surprising results, and limitations we have experienced are discussed.

Marc Zeller,Kai Hoefig,Jean-Pascal Schwinn

DOI: https://doi.org/10.48550/arXiv.2105.15002

2021-05-31

Software Engineering

Abstract:The growing size and complexity of software in embedded systems poses new challenges to the safety assessment of embedded control systems. In industrial practice, the control software is mostly treated as a black box during the system's safety analysis. The appropriate representation of the failure propagation of the software is a pressing need in order to increase the accuracy of safety analyses. However, it also increase the effort for creating and maintaining the safety analysis models (such as fault trees) significantly. In this work, we present a method to automatically generate Component Fault Trees from Continuous Function Charts. This method aims at generating the failure propagation model of the detailed software specification. Hence, control software can be included into safety analyses without additional manual effort required to construct the safety analysis models of the software. Moreover, safety analyses created during early system specification phases can be verified by comparing it with the automatically generated one in the detailed specification phased.

Marc Zeller,Francesco Montrone

DOI: https://doi.org/10.1109/ICSRS.2018.8688854

2021-06-01

Abstract:Fault Tree analysis is a widely used failure analysis methodology to assess a system in terms of safety or reliability in many industrial application domains. However, with Fault Tree methodology there is no possibility to express a temporal sequence of events or state-dependent behavior of software-controlled systems. In contrast to this, Markov Chains are a state-based analysis technique based on a stochastic model. But the use of Markov Chains for failure analysis of complex safety-critical systems is limited due to exponential explosion of the size of the model. In this paper, we present a concept to integrate Markov Chains in Component Fault Tree models. Based on a component concept for Markov Chains, which enables the association of Markov Chains to system development elements such as components, complex or software-controlled systems can be analyzed w.r.t. safety or reliability in a modular and compositional way. We illustrate this approach using a case study from the automotive domain.

Software Engineering

Jiashuo Zhang,Derong Chen,Peng Gao,Zepeng Wang,Jingang Zhang

DOI: https://doi.org/10.3390/pr12122826

IF: 3.5

2024-12-10

Processes

Abstract:Ensuring user safety has become increasingly essential, especially for safety-critical systems (SCSs) that are vital to human life or significant property. However, the prevailing design-for-testability (DFT) model, which relies on dependencies, overlooks safety-related faults and lacks adequate metrics for evaluating system safety. Consequently, the current dependency model is insufficient in effectively assessing system safety. To address this issue, this study has developed a comprehensive DFT model that integrates system safety considerations, known as the safety-related fault model (SRFM). SRFM uses internal block diagrams (IBDs) as a means, employs a nine-tuple model to create a static automatic fault tree, and establishes mapping relationships. Sensitivity analysis is utilized to quantify system safety factors, resulting in a safety-related dependency matrix. Two crucial concepts, design safety sensitivity (DSS) and theoretical safety sensitivity (TSS), are introduced to quantify system safety loss after a fault occurs. Additionally, two new safety-related testability metrics—test advantage of safety assessment on probability (TASAP) and test advantage of safety assessment on number (TASAN)—are developed for a robust evaluation of system safety. To validate the effectiveness of SRFM, it is applied to an electronic safety and arming device (ESA), demonstrating superior performance in TASAP and TASAN compared to existing models, with a negligible impact on expected test cost (ETC).

engineering, chemical

Andrey Morozov,Thomas Mutzke,Kai Ding

DOI: https://doi.org/10.1115/1.4051781

2021-07-14

Abstract:Abstract Modern technical systems consist of heterogeneous components, including mechanical parts, hardware, and the extensive software part that allows the autonomous system operation. The heterogeneity and autonomy require appropriate models that can describe the mutual interaction of the components. UML and SysML are widely accepted candidates for system modeling and model-based analysis in early design phases, including the analysis of reliability properties. UML and SysML models are semi-formal. Thus, transformation methods to formal models are required. Recently, we introduced a stochastic Dual-graph Error Propagation Model (DEPM). This model captures control and data flow structures of a system and allows the computation of advanced risk metrics using probabilistic model checking techniques. This article presents a new automated transformation method of an annotated State Machine Diagram, extended with Activity Diagrams, to a hierarchical DEPM. This method will help reliability engineers to keep error propagation models up to date and ensure their consistency with the available system models. The capabilities and limitations of transformation algorithm is described in detail and demonstrated on a complete model-based error propagation analysis of an autonomous medical patient table.

Huiyu Liu,Jing Liu,Wei Yin,Haiying Sun,Chenchen Yang

DOI: https://doi.org/10.1109/qrs57517.2022.00047

2022-01-01

Abstract:Establishing formal modeling and verification methods for requirements has become the key to enhancing avionics software’s safety and development efficiency. As the mainstream modeling language used in Model-Based Software Engineering (MBSE), SysML is often applied to software requirements specifications. However, due to the lack of systematic and rigorous semantic definitions, SysML can cause problems in terms of accuracy and consistency in system development, threatening the correctness of safety-critical avionics software. To address the problem, this paper defines Safety SysML State Machine, an extended SysML state machine for safety control functions. Stepwise, the authors illustrate the formal specification and the refinement rules of the Safety SysML State Machine to construct the avionics integration model. Furthermore, a tool is implemented integrating the modeling and verification of the Safety SysML State Machine. Our contribution has a profound potential to broaden the use of MBSE and its well-known advantages in safety-critical applications. A specific case study on the aircraft roll angle control system demonstrates the effectiveness of our approach and the tool.

Raffaela Groner,Thomas Witte,Alexander Raschke,Sophie Hirn,Irdin Pekaric,Markus Frick,Matthias Tichy,Michael Felderer

DOI: https://doi.org/10.1007/978-3-031-40923-3_9

2023-09-19

Abstract:Joint safety and security analysis of cyber-physical systems is a necessary step to correctly capture inter-dependencies between these properties. Attack-Fault Trees represent a combination of dynamic Fault Trees and Attack Trees and can be used to model and model-check a holistic view on both safety and security. Manually creating a complete AFT for the whole system is, however, a daunting task. It needs to span multiple abstraction layers, e.g., abstract application architecture and data flow as well as system and library dependencies that are affected by various vulnerabilities. We present an AFT generation tool-chain that facilitates this task using partial Fault and Attack Trees that are either manually created or mined from vulnerability databases. We semi-automatically create two system models that provide the necessary information to automatically combine these partial Fault and Attack Trees into complete AFTs using graph transformation rules.

Cryptography and Security,Formal Languages and Automata Theory,Software Engineering